CVE-2014-5399 - OpenCVE

SQL injection vulnerability in Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Invensys	Wonderware Information Server

Configuration 1 [-]

OR	cpe:2.3:a:invensys:wonderware_information_server:4.0:sp1::::::
	cpe:2.3:a:invensys:wonderware_information_server:4.0:sp1:::portal:::*
	cpe:2.3:a:invensys:wonderware_information_server:4.5:-:portal:::::*
	cpe:2.3:a:invensys:wonderware_information_server:5.0:-:portal:::::*
	cpe:2.3:a:invensys:wonderware_information_server:5.5::::portal:::

No data.

References

Link	Providers
http://www.securityfocus.com/bid/69416
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-238-02.json
https://ics-cert.us-cert.gov/advisories/ICSA-14-238-02
https://www.cisa.gov/news-events/ics-advisories/icsa-14-238-02

History

Fri, 31 Oct 2025 23:30:00 +0000

Type	Values Removed	Values Added
Title		Schneider Electric Wonderware SQL Injection
References		https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-238-02.json https://www.cisa.gov/news-events/ics-advisories/icsa-14-238-02

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2014-08-28T01:00:00

Updated: 2025-10-31T23:17:37.919Z

Reserved: 2014-08-22T00:00:00

Link: CVE-2014-5399

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-08-28T01:55:03.653

Modified: 2025-11-01T00:15:33.110

Link: CVE-2014-5399

Redhat

No data.

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Wonderware Information Server Portal", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "4.0 SP1"}, {"status": "affected", "version": "4.5"}, {"status": "affected", "version": "5.0"}, {"status": "affected", "version": "5.5"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider_electric:wonderware_information_server_portal:4.0_sp1:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider_electric:wonderware_information_server_portal:4.5:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider_electric:wonderware_information_server_portal:5.0:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider_electric:wonderware_information_server_portal:5.5:*:*:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Timur Yunusov, Ilya Karpov, Sergey Gordeychik, Alexey Osipov, and Dmitry Serebryannikov of the Positive Technologies Research Team"}], "datePublic": "2014-08-26T06:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SQL injection vulnerability in Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors."}], "value": "SQL injection vulnerability in Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors."}], "metrics": [{"cvssV2_0": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-10-31T23:17:37.919Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-238-02"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-238-02.json"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Schneider Electric has created an update for WIS web pages and \ncomponents to address the vulnerabilities listed in this advisory. \nCustomers using all versions of WIS are affected and should upgrade to \nWIS Version 5.5 and then apply the security update.</p>\n<p>Customers using the affected versions of WIS should set the security \nlevel settings in the Internet browser to \u201cMedium \u2013 High\u201d to minimize \nthe risks presented by these vulnerabilities. In addition, the \nWonderware Information Server Portal can be configured to use HTTPS that\n will require additional steps as documented in the products user \ndocumentation.</p>\n<p>Schneider Electric has released a security bulletin titled \u201cMultiple \nVulnerabilities in Wonderware Information Server LFSEC00000102\u201d to \nannounce the security update, which is available at the following \nlocation:</p>\n<p><a target=\"_blank\" rel=\"nofollow\" href=\"https://gcsresource.invensys.com/support/docs/_SecurityBulletins/Security_Bulletin_LFSEC00000102.pdf\">https://gcsresource.invensys.com/support/docs/_SecurityBulletins/Security_Bulletin_LFSEC00000102.pdf</a></p>\n\n<br>"}], "value": "Schneider Electric has created an update for WIS web pages and \ncomponents to address the vulnerabilities listed in this advisory. \nCustomers using all versions of WIS are affected and should upgrade to \nWIS Version 5.5 and then apply the security update.\n\n\nCustomers using the affected versions of WIS should set the security \nlevel settings in the Internet browser to \u201cMedium \u2013 High\u201d to minimize \nthe risks presented by these vulnerabilities. In addition, the \nWonderware Information Server Portal can be configured to use HTTPS that\n will require additional steps as documented in the products user \ndocumentation.\n\n\nSchneider Electric has released a security bulletin titled \u201cMultiple \nVulnerabilities in Wonderware Information Server LFSEC00000102\u201d to \nannounce the security update, which is available at the following \nlocation:\n\n\n https://gcsresource.invensys.com/support/docs/_SecurityBulletins/Security_Bulletin_LFSEC00000102.pdf"}], "source": {"advisory": "ICSA-14-238-02", "discovery": "EXTERNAL"}, "title": "Schneider Electric Wonderware SQL Injection", "x_generator": {"engine": "Vulnogram 0.4.0"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2014-2380", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 uses weak encryption, which allows remote attackers to obtain sensitive information by reading a credential file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSA-14-238-02", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-238-02"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T11:41:49.067Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-238-02"}, {"name": "69416", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/69416"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2014-5399", "datePublished": "2014-08-28T01:00:00", "dateReserved": "2014-08-22T00:00:00", "dateUpdated": "2025-10-31T23:17:37.919Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:invensys:wonderware_information_server:4.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "325DE4D6-7649-4566-BC6E-1F8DC16FF1A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:invensys:wonderware_information_server:4.0:sp1:*:*:portal:*:*:*", "matchCriteriaId": "C8A82967-0AEC-4C46-91D0-92CA332C9C86", "vulnerable": true}, {"criteria": "cpe:2.3:a:invensys:wonderware_information_server:4.5:-:portal:*:*:*:*:*", "matchCriteriaId": "D7292C59-D289-4874-8385-B1B2C246F935", "vulnerable": true}, {"criteria": "cpe:2.3:a:invensys:wonderware_information_server:5.0:-:portal:*:*:*:*:*", "matchCriteriaId": "8EA37129-F327-4EE6-B1FB-BFB0C3C68856", "vulnerable": true}, {"criteria": "cpe:2.3:a:invensys:wonderware_information_server:5.5:*:*:*:portal:*:*:*", "matchCriteriaId": "FFBE9EBE-6678-4AFC-9052-8EC6B319EB7B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 hasta 5.5 permite a atacantes remotos ejecutar comandos SQL arbitrarios a trav\u00e9s de vectores no especificados."}], "id": "CVE-2014-5399", "lastModified": "2025-11-01T00:15:33.110", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Secondary", "userInteractionRequired": false}, {"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-08-28T01:55:03.653", "references": [{"source": "[email protected]", "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-238-02.json"}, {"source": "[email protected]", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-238-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/69416"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-238-02"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "[email protected]", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "[email protected]", "type": "Secondary"}]}